[Snort-sigs] Magic Trojan

Joel Esler jesler at ...435...
Thu Apr 18 14:03:12 EDT 2013


On Apr 18, 2013, at 1:40 PM, James Lay <jlay at ...3266...> wrote:

> Silly name, but eh:
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
> (msg:"SPECIFI-THREATS Magic Trojan"; flow:established,to_client; 
> file_data; content:"some_magic_code1"; depth:20; fast_pattern; 
> reference:url,http://www.seculert.com/blog/2013/04/magic-persistent-threat.html; 
> classtype:trojan-activity; sid:10000046; rev:1;)


I cleaned the rule up and it will ship as SID: 26467.

Thanks James!

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire